FBI and Google Dismantle NetNut Proxy Network Used by Hackers

Summary
– The FBI and Google’s Threat Intelligence Group disrupted NetNut, a major commercial residential proxy network, by seizing hundreds of domains and targeting its digital infrastructure.
– NetNut’s Popa botnet co-opted over two million consumer devices, including smart TVs, by embedding deceptive software in apps to use home internet connections as proxy exit nodes.
– At least 316 threat clusters used NetNut exit nodes for cybercrimes like password spraying, credential stuffing, advertising fraud, and data scraping in a single week in June 2026.
– NetNut is linked to Alarum Technologies Ltd, a publicly traded Israeli firm, whose executive leadership has ties to the original developers of the malicious Popa SDK.
– Google disabled NetNut’s accounts, updated Google Play Protect, and removed apps with compromised SDKs, significantly degrading the proxy network’s operations.
In a sweeping international law enforcement effort, the FBI and Google’s Threat Intelligence Group have successfully dismantled NetNut, one of the world’s largest commercial residential proxy networks. This coordinated operation, which also involved Lumen Technologies, the Shadowserver Foundation, and the IRS Criminal Investigation division, targeted the digital backbone of the massive proxy service and resulted in the seizure of hundreds of domains.
At the core of this takedown is the ‘Popa’ botnet, a stealth communications layer that security researchers have been tracking for some time. The botnet commandeered over two million consumer devices globally, including smart TVs, streaming media boxes, and unofficial apps like SmartTube. By embedding deceptive software development kits (SDKs) into off-brand Android devices, NetNut effectively turned ordinary home electronics into residential proxy exit nodes. This allowed malicious traffic to route through legitimate domestic IP addresses, bypassing standard data center blocks and security filters.
A Google report published on July 2 reveals the scale of the abuse. In a single week in June 2026, at least 316 distinct threat clusters utilized NetNut exit nodes to conduct password-spraying campaigns, credential stuffing, advertising fraud, and sensitive data scraping. Unlike typical underground botnets, NetNut has been linked to a commercial enterprise: Alarum Technologies Ltd, a publicly traded Israeli firm listed on NASDAQ. Independent security investigations by Qurium and Synthient established direct links between Alarum’s executive leadership and the original developers of the malicious Popa SDK. While Alarum has historically marketed its software as a consensual bandwidth-sharing tool, technical reviews found that hijacked host applications failed to present users with any clear notice or consent prompt.
In response to the FBI’s seizure of certain NetNut-associated domains, Alarum issued a statement: “Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.” The Google report does not explicitly mention Alarum, but researchers assessed with high confidence that many popular residential proxy brands are simply white-labeling the NetNut botnet through its robust reseller program. Google also cites public reports by Synthient, Spur, and Nokia Deepfield documenting NetNut’s role in infecting devices with Mirai distributed denial-of-service (DDoS) botnets.
To prevent the network from easily rebuilding, Google deployed immediate technical mitigations alongside the FBI’s legal actions. The company disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to automatically warn Android users, and disabled apps containing the compromised SDKs. “We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions,” Google said. This action builds on the disruption of the IPIDEA proxy network that took place in January 2026.
The initial phase of the takedown sparked some confusion within the threat intelligence community. While the FBI’s seizure banner appeared on netnut.com, the primary commercial domain netnut.io temporarily remained active. Some online commentators suggested law enforcement might have targeted the wrong domain. However, security experts clarified that both domains are tied to the same operation. While seizing the primary commercial domain may take longer due to registrar and jurisdictional differences, the botnet’s backend command-and-control servers were successfully targeted and dismantled, severely degrading the network’s overall operations.
(Source: Infosecurity Magazine)